Current Thinking...


■ “Cloud computing will be as influential as E-business.” - Gartner

■ “It's the modern version of the timesharing model from the 1960s...” - Bruce Schneier

■ “We can no more see the full impact of the cloud than Henry Ford foresaw the impact of his desire to produce more cars in less time.” - Russ Daniels

■ “I think cloud computing has some security implications, but nobody really has a handle on what cloud computing even is.” - Marcus Ranum
NIST Risk Management Framework

Security Life Cycle (the six RMF steps in order; the original slide draws them as a cycle that returns from MONITOR to CATEGORIZE):

■ CATEGORIZE Information System: Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.

■ SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

■ IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.

■ ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).

■ AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.

■ MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Impact Level Drives Control Selection

Potential impact by security objective (objective definitions from 44 U.S.C., Sec. 3542):

■ Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  - LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  - MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  - HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

■ Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  - LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  - MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  - HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

■ Availability: Ensuring timely and reliable access to and use of information.
  - LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  - MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  - HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
18 Security Control Families (NIST SP 800-53)

NIST SP 800-53 families (identifier, family):

AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment and Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification and Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical and Environmental Protection
PL  Planning
PS  Personnel Security
RA  Risk Assessment
SA  System and Services Acquisition
SC  System and Communications Protection
SI  System and Information Integrity
PM  Program Management

DoD IA Control Subject Areas (DODI 8500.2), shown on the same slide for comparison (abbreviation, subject area name):

DC  Security Design & Configuration
IA  Identification and Authentication
EC  Enclave and Computing Environment
EB  Enclave Boundary Defense
PE  Physical and Environmental
PR  Personnel
CO  Continuity
VI  Vulnerability and Incident Management
Cloud Assurance — What will it take?

■ “...the certainty that a Service Provider can operate their cloud offering at a prescribed level.”

■ Assurance is the grounds for confidence that the security controls implemented are effective in their application.

■ For low-impact systems, the assurance requirement is that “the security control is in effect and it meets explicitly identified functional requirements in the control statement.”

■ The controls are in place with the expectation that no obvious errors exist, and as flaws are discovered, they are addressed in a timely manner.
Issues and Assumptions

■ Issues
  - Applicable cloud security standards
  - Compensating security controls to mitigate the gaps those standards leave
  - Customer and service provider actions to achieve cloud assurance

■ Assumptions
  - NIST SP 800-53 security controls for a low-impact system
Example of Low-Risk IaaS in Hybrid Cloud Deployment

[Figure: two low-risk workloads placed on axes of Privacy and Security versus Cost. A Test Server runs in a Community Cloud (shared by a community, e.g., DISA RACE); a Development Server runs in a Private Cloud (a single agency, e.g., NASA Nebula).]
Relevant Security Standards, Certifications, and Guidance

■ NIST SP 800 series

■ ISO/IEC 27001 framework

■ Cloud Security Alliance

■ Statement on Auditing Standards No. 70 (SAS 70)
Cloud Security Certification Analysis

[Figure: analysis flow. On the Cloud Service Provider Responsibility side, FISMA, the CSA Domains and ISO 27001 are analyzed against the Cloud Features to identify Security gaps; Compensating Controls for those gaps fall on the Government Agency Responsibility side.]
Criteria for Difficulty of NIST 800-53 Control Family Certification Characteristics

Least Difficult
• Mature practices exist
• No integration issues
• Technology is available if necessary
• Compensating controls are unnecessary

Most Difficult
• Concepts and theory exist but with immature implementation methods
• Technology integration issues that impede implementation
• Compensating controls that are difficult to implement
Results: Categorization of NIST SP 800-53 Control Families

Least Difficult
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Physical and Environmental Protection (PE)
• Personnel Security (PS)
• Contingency Planning (CP)
• Incident Response (IR)
• Maintenance (MA)
• Planning (PL)
• Program Management (PM)
• System and Services Acquisition (SA)
• System and Information Integrity (SI)

Most Difficult
• Security Assessment and Authorization (CA)
• System and Communications Protection (SC)
• Risk Assessment (RA)
• Media Protection (MP)
• Identification and Authentication (IA)
• Access Control (AC)
• Configuration Management (CM)
Description of Most Difficult Results

Most Difficult

• Security Assessment and Authorization (CA)
  - No mandate
  - No metrics
  - Integration issues unknown

• System and Communications Protection (SC)
  - Boundary protection not enforced
  - Lack of FIPS 140-2 support

• Risk Assessment (RA)
  - No metrics
  - Transparency required
  - Unique for every instance

Description of Most Difficult Results (continued)

Most Difficult

• Media Protection (MP)
  - Inconsistent protection methods
  - Unverifiable data destruction and reuse methods
  - Data aggregation vulnerabilities

• Identification and Authentication (IA)
  - LDAP and Active Directory integration issues
  - Immature concepts

• Access Control (AC)
  - Customer configuration challenges
  - Transparency required

• Configuration Management (CM)
  - Patch management not mandated
  - No metrics
Compensating Controls

Each entry gives the unmet control, the compensating control, and the customer and service provider responsibilities for it.

■ No certification mandate
  - Compensating control: Conduct a third-party assessment periodically
  - Customer: Require CA in SLA
  - Service provider: Publish results. Provide security architecture.

■ Boundary protection not enforced
  - Compensating control: Enact strong Denial of Service (DoS) protection
  - Customer: Require DoS protection in SLA
  - Service provider: Enable DoS protection out to the edge

■ No RA mandates or metrics
  - Compensating control: Evaluate risk at a granular level
  - Customer: Ensure satisfactory risk management methods
  - Service provider: Be subject to an RA

■ Unverifiable protection and data destruction methods
  - Compensating control: Sanitize media before contract termination. Encrypt data to prevent disclosure.
  - Customer: Establish frameworks against attacks
  - Service provider: Test for audit logging and reports
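The last entry above pairs media sanitization with encryption. When the provider's sanitization cannot be verified, the customer can make destruction verifiable on its own side by cryptographic erasure: seal each dataset under its own data-encryption key (DEK) held in a customer-controlled key store, and shred the DEK at contract termination, which leaves only unrecoverable ciphertext on the provider's media. The Python below is an added example, not code from the MITRE deck; it goes beyond the slide's wording by keying datasets individually and walking through the erase step. The key store, the provider-media stand-in, the dataset name, the sample record and the SHAKE-256/HMAC-SHA256 construction are assumptions made for the example so it runs on the standard library alone; a production deployment would use AES-GCM and a real KMS/HSM.

```python
"""Added example, not code from the MITRE deck: cryptographic erasure as the
customer-side answer to unverifiable provider media sanitization. Every dataset
is sealed under its own data-encryption key (DEK) kept in a customer-controlled
key store, so shredding the DEK makes the ciphertext left on provider media
unrecoverable whether or not the provider ever wipes the disks. The SHAKE-256
keystream with an HMAC-SHA256 tag is a standard-library stand-in so the example
runs offline; production code should use AES-GCM (e.g. the `cryptography`
package). KeyStore and ProviderMedia are constructed for the example."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(dek):
    # Separate encryption and MAC keys derived from the per-dataset DEK.
    enc = hashlib.sha256(b"enc" + dek).digest()
    mac = hashlib.sha256(b"mac" + dek).digest()
    return enc, mac


def seal(dek, plaintext):
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc, mac = _subkeys(dek)
    nonce = os.urandom(NONCE_LEN)
    ks = hashlib.shake_256(enc + nonce).digest(len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(dek, blob):
    """Verify the tag before decrypting; raises ValueError on tampering or wrong key."""
    enc, mac = _subkeys(dek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = hashlib.shake_256(enc + nonce).digest(len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyStore:
    """DEKs the customer controls (an on-premises HSM/KMS in practice)."""

    def __init__(self):
        self._keys = {}

    def get_or_create(self, dataset):
        return self._keys.setdefault(dataset, os.urandom(32))

    def get(self, dataset):
        return self._keys.get(dataset)

    def shred(self, dataset):
        """Cryptographic erase: once the DEK is gone, so is the data."""
        self._keys.pop(dataset, None)


class ProviderMedia:
    """Storage under the provider's control; the customer cannot prove it is wiped."""

    def __init__(self):
        self.blobs = {}


def store(media, keystore, dataset, plaintext):
    media.blobs[dataset] = seal(keystore.get_or_create(dataset), plaintext)


def retrieve(media, keystore, dataset):
    dek = keystore.get(dataset)
    if dek is None:
        raise KeyError(f"{dataset}: DEK shredded, data cryptographically erased")
    return unseal(dek, media.blobs[dataset])


def contract_termination_demo():
    """Walk through store -> tamper check -> crypto-erase; returns what was observed."""
    media, ks = ProviderMedia(), KeyStore()
    secret = b"test results for build 1234 (constructed sample)"
    store(media, ks, "test_results", secret)
    round_trip = retrieve(media, ks, "test_results") == secret

    tampered = bytearray(media.blobs["test_results"])
    tampered[NONCE_LEN] ^= 0x01              # flip one ciphertext bit
    try:
        unseal(ks.get("test_results"), bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    ks.shred("test_results")                 # customer action at contract end
    try:
        retrieve(media, ks, "test_results")
        erased = False
    except KeyError:
        erased = True
    leftover = media.blobs["test_results"]   # still sitting on provider media
    return {
        "round_trip": round_trip,
        "tamper_detected": tamper_detected,
        "erased": erased,
        "plaintext_on_media": secret in leftover,
    }


if __name__ == "__main__":
    print(contract_termination_demo())
```

The design point is that the provider responsibility in the table ("Test for audit logging and reports") stays as it is; what changes is that the customer no longer has to trust a sanitization report it cannot check, because the blob the provider retains is useless without a key the provider never held.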
Compensating Controls (concluded)

■ Access control configuration is challenging
  - Compensating control: Define an access schema before deploying data to the cloud
  - Customer: Categorize. Define roles.
  - Service provider: Install IDS and firewalls. Deny all access by default.

■ Integration issues with LDAP and AD
  - Compensating control: Use identity management standards such as SAML and WS-Federation
  - Customer: Configure user and group policies on an AAA server
  - Service provider: Support SAML and XACML

■ Patch management not mandated
  - Compensating control: Be proactive with vulnerability protection. Institute adequate patch management policies and procedures.
  - Customer: Conduct vulnerability assessments. Enforce NAC prerequisites.
  - Service provider: Support dynamic analysis web application security tools
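The access control entry above ("Categorize. Define roles. Deny all access by default.") and the impact-level table earlier in the deck describe one procedure: categorize the system from the information types it handles, then define a default-deny access schema before any data is deployed. The Python below is an added example, not code from the MITRE deck, that carries that procedure through end to end. The two information types, the role names, the mapping of read to confidentiality and write/delete to integrity, and the ceiling semantics of a grant are assumptions made for illustration; the LOW/MODERATE/HIGH levels and the high-water-mark rule follow the impact table.

```python
"""Added example, not code from the MITRE deck: FIPS 199 high-water-mark
categorization of a cloud-hosted system from its information types (the
Categorize step), followed by a default-deny access schema defined before any
data is deployed (the Access Control compensating control). Information types,
roles and the action-to-objective mapping are constructed for illustration."""
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # severe or catastrophic adverse effect


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Which security objective an action puts at risk (assumption for this example):
# reading risks disclosure, writing or deleting risks improper modification.
ACTION_OBJECTIVE = {"read": "confidentiality", "write": "integrity", "delete": "integrity"}


def categorize(info_types):
    """info_types: {name: {objective: Impact}}.
    Returns the per-objective high-water mark across all information types and
    the overall system impact level. One MODERATE information type is enough to
    lift the whole system out of the low-impact baseline the deck assumes."""
    per_objective = {
        obj: max(levels[obj] for levels in info_types.values()) for obj in OBJECTIVES
    }
    return per_objective, max(per_objective.values())


class AccessSchema:
    """Role/action ceilings. Anything without an explicit grant is denied."""

    def __init__(self):
        self._grants = {}   # (role, action) -> highest Impact level permitted
        self.audit = []     # one (role, action, label, allowed) tuple per request

    def grant(self, role, action, up_to):
        if action not in ACTION_OBJECTIVE:
            raise ValueError(f"unknown action {action!r}")
        self._grants[(role, action)] = Impact(up_to)

    def decide(self, role, action, obj_label):
        """obj_label: {objective: Impact} attached to the data object.
        Default deny: an unknown action, a role with no grant for the action,
        or an object labelled above the role's ceiling all return False."""
        objective = ACTION_OBJECTIVE.get(action)
        ceiling = self._grants.get((role, action))
        allowed = (
            objective is not None
            and ceiling is not None
            and obj_label[objective] <= ceiling
        )
        self.audit.append((role, action, dict(obj_label), allowed))
        return allowed


# Constructed information types for the deck's hybrid-cloud example: test
# results on the community cloud, source code on the private cloud.
INFO_TYPES = {
    "test_results": {"confidentiality": Impact.LOW, "integrity": Impact.LOW,
                     "availability": Impact.LOW},
    "dev_source":   {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE,
                     "availability": Impact.LOW},
}


def build_schema():
    """Roles are defined before deployment; ceilings come from the
    categorization, so a role can never reach data above its clearance."""
    schema = AccessSchema()
    schema.grant("developer", "read", Impact.MODERATE)
    schema.grant("developer", "write", Impact.MODERATE)
    schema.grant("tester", "read", Impact.LOW)
    schema.grant("tester", "write", Impact.LOW)
    return schema


if __name__ == "__main__":
    per_obj, overall = categorize(INFO_TYPES)
    print("system category:", {k: v.name for k, v in per_obj.items()}, "overall:", overall.name)
    s = build_schema()
    requests = [("tester", "read", "test_results"), ("tester", "read", "dev_source"),
                ("auditor", "read", "test_results"), ("developer", "delete", "dev_source")]
    for role, action, data in requests:
        verdict = "ALLOW" if s.decide(role, action, INFO_TYPES[data]) else "DENY"
        print(f"{role} {action} {data} -> {verdict}")
```

Two things the table alone does not show: the system category is the maximum over every information type, so adding one MODERATE dataset to a low-impact deployment changes the control baseline for the whole system; and default deny means the "auditor" role, which nobody defined, and the "delete" action, which nobody granted, are both refused without any rule mentioning them.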
Model - Allocate controls, identify gaps, assign responsibility for compensation
Future Responsibilities Roadmap

Service Providers
• Service providers must build security into the service offering
• Service providers must provide transparent SLAs
• Service providers must allow for independent security assessments

Customers
• Customers eager to migrate must accept some risks
• Customers must be wary of SLAs

Standards Bodies
• NIST-led Cloud Computing Security Working Group to establish baseline standards and an authorization process for public clouds
• Cloud Security Alliance (industry group) seeking to establish security guidelines
Contact Information

Elizabeth Brown  ebrown@mitre.org
Chris Braganza  braganza@mitre.org